* Allow simple alphanumeric style attribute values in the htmlscrubber. This
should be safe from javascript attacks.master
joey
parent
68ae662e6f
commit
a8fa52080d
|
|
@ -31,7 +31,8 @@ sub scrubber { #{{{
|
|||
span strike strong sub sup table tbody td textarea
|
||||
tfoot th thead tr tt u ul var
|
||||
}],
|
||||
default => [undef, { map { $_ => 1 } qw{
|
||||
default => [undef, { (
|
||||
map { $_ => 1 } qw{
|
||||
abbr accept accept-charset accesskey action
|
||||
align alt axis border cellpadding cellspacing
|
||||
char charoff charset checked cite class
|
||||
|
|
@ -44,7 +45,11 @@ sub scrubber { #{{{
|
|||
selected shape size span src start summary
|
||||
tabindex target title type usemap valign
|
||||
value vspace width
|
||||
}, "/" => 1, # emit proper <hr /> XHTML
|
||||
} ),
|
||||
"/" => 1, # emit proper <hr /> XHTML
|
||||
"style" => qr{^[-a-zA-Z0-9]+$}, # only very simple
|
||||
# references allowed,
|
||||
# to avoid javascript
|
||||
}],
|
||||
);
|
||||
return $_scrubber;
|
||||
|
|
|
|||
|
|
@ -7,8 +7,10 @@ ikiwiki (2.4) UNRELEASED; urgency=low
|
|||
* Support building on systems that lack asprintf.
|
||||
* mercurial getctime is currently broken, apparently by some change in
|
||||
mercurial version 0.9.4. Turn the failing test case into a TODO test case.
|
||||
* Allow simple alphanumeric style attribute values in the htmlscrubber. This
|
||||
should be safe from javascript attacks.
|
||||
|
||||
-- Joey Hess <joeyh@debian.org> Sun, 08 Jul 2007 20:25:00 -0400
|
||||
-- Joey Hess <joeyh@debian.org> Wed, 11 Jul 2007 12:23:41 -0400
|
||||
|
||||
ikiwiki (2.3) unstable; urgency=low
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,12 @@ to avoid XSS attacks and the like.
|
|||
It excludes all html tags and attributes except for those that are
|
||||
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
|
||||
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
|
||||
Notably it strips `style`, `link`, and the `style` attribute.
|
||||
Notably it strips `style` and `link`.
|
||||
|
||||
For the `style` attribute, it varys slightly from the Universal Feed
|
||||
Parser, accepting simple alphanumeric style attributes (style="foo"), but
|
||||
stripping anything more complex to avoid any of the ways to insert
|
||||
JavaScript via style attributes.
|
||||
|
||||
It uses the [[cpan HTML::Scrubber]] perl module to perform its html
|
||||
sanitisation, and this perl module also deals with various entity encoding
|
||||
|
|
@ -36,3 +41,4 @@ plugin is active:
|
|||
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
|
||||
* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>
|
||||
* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>
|
||||
* <span style="pretty">OTOH, this is ok, and will be accepted</a>
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ msgid ""
|
|||
msgstr ""
|
||||
"Project-Id-Version: PACKAGE VERSION\n"
|
||||
"Report-Msgid-Bugs-To: \n"
|
||||
"POT-Creation-Date: 2007-07-08 20:26-0400\n"
|
||||
"POT-Creation-Date: 2007-07-11 12:49-0400\n"
|
||||
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
|
||||
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
|
||||
"Language-Team: LANGUAGE <LL@li.org>\n"
|
||||
|
|
|
|||
Loading…
Reference in New Issue